book

IBM z/OS V2R2 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking

Name: IBM z/OS V2R2 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking
ISBN: 9780738442242

by Bill White, Octavio Ferreira, Teresa Missawa, Teddy Sudewo

March 2017

Intermediate to advanced

945 pages

28h 9m

English

IBM Redbooks

Read now

Unlock full access

Front cover
Notices
Trademarks
Preface
AuthorsNow you can become a published author, too!Comments welcomeStay connected to IBM Redbooks
Chapter 1. RACF demystified
1.1 RACF basic concepts1.2 Protecting your network resources1.3 Protecting your programs1.3.1 Authorized Program Facility1.3.2 Program protection by RACF resource class PROGRAM1.3.3 Program Access Control1.3.4 Controlling program access by SYSID1.3.5 The sticky bit in the z/OS UNIX environment1.4 Associating a user ID with a started task1.5 Setting up security for daemons in z/OS UNIX1.6 RACF multilevel security for network resources1.6.1 Basic MLS concepts1.6.2 Security levels1.7 Digital certificates in RACF1.8 More information
Chapter 2. Protecting network resources
2.1 SERVAUTH resource class2.2 Protecting your TCP/IP stack2.2.1 Stack access overview2.2.2 Example setup2.3 Protecting your network access2.3.1 Network access control overview2.3.2 SAF audit records2.3.3 Server considerations2.3.4 Using NETSTAT for network access control2.3.5 Working example of network access control2.4 Protecting your network ports2.4.1 PORT/PORTRANGE SAF keyword2.4.2 Using NETSTAT to display Port Access control2.5 Protecting the use of socket options2.5.1 SO_BROADCAST socket option access control2.5.2 IPv6 advanced socket API options2.6 Protecting sensitive network commands2.6.1 z/OS VARY TCPIP command security2.6.2 TSO NETSTAT and UNIX onetstat command security2.6.3 Policy agent command security2.6.4 IPSec command access control2.6.5 EZACMD console command security2.6.6 Additional information2.7 Protecting FTP2.7.1 Restricting certain users from logging into FTP server2.7.2 Protecting other FTP related resources2.8 Protecting network management resources2.8.1 SNMP agent control2.8.2 TCP connection information service access control2.8.3 CIM provider access control2.9 Protecting miscellaneous resources2.9.1 Digital Certificate Access Server access control2.9.2 MODDVIPA utility program control2.9.3 DVIPA activation and movement Control2.9.4 Fast Response Cache Accelerator access control2.9.5 Real-time SMF information service access control2.9.6 TCP/IP packet trace service access control2.9.7 TCP/IP stack initialization access control2.9.8 RPCBIND application registration control
Chapter 3. Certificate management in z/OS
3.1 Digital certificates overview3.1.1 Digital certificate overview3.1.2 How digital certificates work3.2 Digital certificate types3.2.1 Certificate authority certificates3.2.2 User (personal) certificates3.2.3 Site certificates3.2.4 Obtaining a digital certificate3.3 Configuring the utilities to generate certificates in z/OS3.3.1 Utilities in z/OS for managing certificates3.3.2 Digital certificate field formats3.3.3 Using the RACF RACDCERT command3.3.4 Using the gskkyman command3.4 Using certificates in sample IBM environments3.4.1 Host On-Demand and certificates3.4.2 Shared site certificate and shared key ring3.4.3 Self-signed certificates3.4.4 Internal (local) certificate authority3.4.5 External (well-known) certificate authority
Chapter 4. Policy agent
4.1 Policy agent description4.1.1 Basic concepts4.1.2 Where and how to define policies4.2 Implementing PAGENT on z/OS4.2.1 Starting PAGENT as started task4.2.2 Starting PAGENT from UNIX4.2.3 Stopping PAGENT4.2.4 Disabling PAGENT policies for IPSec4.2.5 Basic configuration4.2.6 Coding policy definitions in a configuration file4.2.7 Refreshing policies4.2.8 Policy infrastructure management4.2.9 Verification4.2.10 Centralized policy server4.2.11 More information4.3 Setting up the Traffic Regulation Management daemon4.3.1 Starting TRMD using PAGENT4.3.2 Setting up the started task procedure4.3.3 Starting TRMD from z/OS UNIX4.3.4 Defining the security product authorization for TRMD4.3.5 TRMDSTAT4.4 Configuration Assistant for z/OS Communications Server4.4.1 Using z/OSMF Configuration Assistant4.4.2 General configuration steps using the Configuration Assistant4.4.3 Discovery of TCP/IP profile function4.4.4 Common configuration of multiple stacks4.5 Connection flooding4.6 Backup and migration considerations4.6.1 Backing store file4.6.2 Migrating backing store files to z/OSMF Configuration Assistant4.6.3 Importing (merging) backing store files4.6.4 Importing the policy file to Configuration Assistant4.7 More information
Chapter 5. Centralized policy server
5.1 Background5.2 Basic concepts5.3 Configuring distributed (centralized) policy services5.3.1 Configuring base environment with SSL5.3.2 Configuring the policy server5.3.3 Configuring the policy client5.3.4 Correlating the definitions at the policy server and policy client5.4 Activating and verifying the policy services environment5.5 Diagnosing the centralized policy services environment5.6 Configuring the centralized policy server without SSL security5.7 More information
Chapter 6. Quality of service
6.1 Quality of service overview6.1.1 Differentiated Services6.1.2 QoS with z/OS Communications Server6.1.3 PAGENT QoS policies6.1.4 Migrating TR QoS policies to intrusion detection services policy function6.2 Configuring QoS in the z/OS Communications Server6.2.1 Policies6.2.2 Differentiated Services rule6.2.3 More information6.3 QoS implementation6.3.1 Using the Configuration Assistant to configure QoS6.3.2 Including QoS in the policy agent configuration6.4 Verifying and diagnosing the QoS implementation6.4.1 Available management tools6.4.2 z/OS Communications Server SNMP SLA Subagent
Chapter 7. IP filtering
7.1 Define IP filtering7.1.1 Basic concepts7.1.2 IP filter policy types7.2 z/OS IP filtering implementation7.2.1 Enabling IP Filtering7.2.2 Configuring default IP filter policy7.2.3 Configuring IP security filter policy using PAGENT7.2.4 QDIO acceleration coexistence with IP filtering7.2.5 Problem determination7.2.6 More information

Chapter 8. IP Security
8.1 IPSec overview8.2 Basic concepts8.2.1 Key components8.2.2 IP Authentication Header protocol8.2.3 IP Encapsulating Security Payload protocol8.2.4 Internet Key Exchange protocol: Pre-shared key and RSA signature mode8.3 Current IPsec support8.3.1 IKE version 2 (IKEv2) support8.3.2 IPSec support for certificate trust chains8.3.3 IPSec support for certificate revocation lists8.3.4 IPSec support for cryptographic currency8.3.5 IPSec support for FIPS 140 cryptographic mode8.3.6 Improved FIPS 140 diagnostics8.3.7 AES cryptographic support for integrated IPSec in a VPN8.3.8 Trusted TCP connections8.3.9 zIIP Assisted IPSec function8.4 Working with the z/OS Communications Server Network Management Interface8.5 How IPSec is implemented8.5.1 Installing the PAGENT8.5.2 Setting up the Traffic Regulation Management daemon8.5.3 Updating the TCP/IP stack to activate IPSec8.5.4 Restricting the use of the ipsec command8.5.5 Installing the IBM Configuration Assistant for z/OS Communications Server8.5.6 IPSec scenarios8.5.7 Defining the IPSec policies to PAGENT8.5.8 Setting up the IKED8.5.9 RACF certificate definitions for IKED8.5.10 Setting up the system logging daemon (SYSLOGD) to log IKED messages8.5.11 Starting the IKED and verifying initialization8.5.12 Commands used to administer IP security8.6 Configuring IPSec between two z/OS systems: Pre-shared key mode using IKEv28.6.1 Using z/OSMF Configuration Assistant to set up the IPSec policies8.6.2 Installing the configuration files8.6.3 Verifying IPSec between two z/OS images8.7 Configuring IPSec between two z/OS systems: RSA signature mode using IKEv18.7.1 Generating certificates for IKEv1 RSA signature mode8.7.2 Creating the IPSec filters and policies for the IPSec tunnel8.7.3 Modifying policies to use RSA signature mode8.7.4 Verifying IKE with RSA signature mode8.7.5 Diagnosing IKE with RSA signature mode8.8 More information
Chapter 9. Network Security Services for IPSec clients
9.1 Basic concepts9.1.1 IKED overview9.1.2 NSS solution for IKED Clients: IPSec discipline9.2 Configuring NSS for the IPSec discipline9.2.1 Preliminary tasks overview9.2.2 NSS client and NSS server9.2.3 Preparing for configuration9.2.4 Configuring the NSS environment9.2.5 Configuring prerequisites for NSS for an IKED Client9.2.6 Configuring authorizations for NSS9.2.7 Configuring the NSS server for an IKED Client9.2.8 Enabling an IKED NSS client to use NSS9.2.9 Creating NSS files for IKED Client using z/OSMF Configuration Assistant9.3 Verifying the NSS environment for the IKED Client9.3.1 Making NSS configuration and policy files available9.3.2 Initializing NSSD and the NSS client9.3.3 NSS and IKE displays on SC33 and SC329.4 Diagnosing the NSSD environment9.4.1 Resources and guidance9.4.2 Examples of logging information for diagnosis9.5 Worksheet questions for NSSD implementation (IKED client)9.6 More information
Chapter 10. Network Security Services for WebSphere DataPower appliances
10.1 Basic concepts10.1.1 NSS benefits10.1.2 Review of DataPower10.1.3 The NSS solution for XMLAppliance Clients: SAF service10.1.4 NSS solution for XMLAppliance clients: Private key and certificate services10.2 Configuring NSS10.2.1 NSS configuration for an NSS XMLAppliance Client overview10.2.2 Preparing for configuration10.2.3 Configuring the NSS environment at z/OS10.2.4 Creating NSS Server files for an NSS XMLAppliance Client with IBM Configuration Assistant10.2.5 Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service10.2.6 Configuring the NSS environment at the Web Services Requester10.3 Verifying the NSS configuration with the NSS Client (XML Appliance Discipline)10.3.1 Operations with z/OS NSS Server10.3.2 Operations with the DataPower appliance and Client10.3.3 Operations with the Web Services Requester platform10.4 More information10.5 NSS configuration worksheet for an NSS XMLAppliance client
Chapter 11. Network Address Translation traversal support
11.1 Network Address Translation11.1.1 One-to-one NAT11.1.2 Network Address Port Translation11.2 IPSec and NAT incompatibilities11.3 NAPT traversal support for integrated IPSec/VPN11.3.1 Enabling NAPT traversal support for IPSec11.3.2 Testing and verification
Chapter 12. Application Transparent Transport Layer Security
12.1 AT-TLS overview12.1.1 What is AT-TLS12.1.2 How AT-TLS works12.1.3 Applying AT-TLS12.2 AT-TLS Implementation example: REXX socket API12.2.1 REXX AT-TLS support12.2.2 REXX AT-TLS support configuration12.2.3 Activating and verifying REXX AT-TLS support12.3 Problem determination for AT-TLS12.4 For more information about AT-TLS
Chapter 13. Intrusion detection services
13.1 Intrusion detection services overview13.2 Basic concepts13.2.1 Scan policies13.2.2 Attack policies13.2.3 IPv6 Support13.2.4 IDS Reporting13.2.5 Traffic regulation policies13.3 Implementing IDS13.3.1 Installing the policy agent13.3.2 z/OSMF Configuration Assistant13.3.3 Configuring IDS policy using the z/OSMF Configuration Assistant13.3.4 Installing the IDS policy13.4 Sample displays13.4.1 IDS Support to detect IPv6 attacks13.4.2 Port scan13.4.3 More information about NetView and z/OS IDS
Chapter 14. IP defensive filtering
14.1 Defensive filtering overview14.2 Basic concepts14.2.1 Filter types14.2.2 Format of the ipsec command14.3 Implementing defensive filtering14.3.1 Enabling IPSec filtering in the TCP/IP stack14.3.2 Defining SAF (RACF) authorizations for defensive filtering14.3.3 Implementing the DMD procedure14.3.4 Operations and verification with defensive filtering14.3.5 Conclusions14.4 More information
Chapter 15. Policy-based routing
15.1 Policy-based routing concept15.2 Routing policy15.3 Implementing policy-based routing15.3.1 Policy-based routing using job name, protocol, and destination IP address15.3.2 Policy-based routing using protocol and port numbers
Chapter 16. Telnet security
16.1 Conceptual overview of TN3270 security16.1.1 What is TN3270 security16.1.2 How TN3270 security works16.1.3 How TN3270 security can be applied16.2 TN3270 native TLS connection security16.2.1 Description of TN3270 native connection security16.2.2 Configuring TN3270 native connection security16.3 Basic native TLS configuration example16.3.1 Enabling native TSL/SLL support for TN327016.3.2 Activating and verifying the configuration16.4 TN3270 with AT-TLS security support16.4.1 Description of TN3270 AT-TLS support16.4.2 Configuration of TN3270 AT-TLS support16.5 Basic AT-TLS configuration example16.5.1 Implementing TN3270 AT-TLS support16.5.2 Activating and verifying TN3270 AT-TLS support16.6 Problem determination for Telnet server security16.7 More information sources for TN3270 AT-TLS support
Chapter 17. Secure File Transfer Protocol
17.1 Conceptual overview of FTP security17.1.1 FTP security overview17.1.2 How FTP security works17.1.3 How FTP security can be applied17.2 FTP client with SOCKS proxy protocol17.2.1 SOCKS proxy protocol overview17.2.2 Configuration of SOCKS proxy protocol17.2.3 Activating and verifying the SOCKS proxy FTP17.3 FTP with native TLS support17.3.1 FTP native TLS security overview17.3.2 Configuring FTP native TLS security17.3.3 Activate and verify FTP server without security17.3.4 Activate and verify FTP server with TLS security: Internet draft protocols17.3.5 Activate and verify FTP server with TLS security: RFC4217 protocols17.3.6 Implicit secure TLS login17.4 FTP with AT-TLS security support17.4.1 FTP AT-TLS support overview17.4.2 Configuring FTP AT-TLS support17.4.3 Activating and verifying FTP AT-TLS support17.5 Migrating from native FTP TLS to FTP AT-TLS17.5.1 Migrating policies to a new release of z/OS Communications Server17.5.2 Details on migrating from TLS to AT-TLS17.6 FTP TLS and AT-TLS problem determination17.7 More information
Appendix A. Basic cryptography
A.1 Cryptography backgroundA.2 Potential problems with electronic message exchangeA.3 Secret key cryptographyA.4 Public key cryptographyA.5 Performance issues of cryptosystemsA.6 Message integrity
Appendix B. Telnet security advanced settings
B.1 Advanced native TLS configurationB.2 Advanced AT-TLS configuration using client ID groups
Appendix C. Configuring IPSec between z/OS and Windows
C.1 IPSec between z/OS and Windows: Pre-shared Key ModeC.2 IPSec between z/OS and Windows: RSA modeC.3 Setting up a Windows IPSec policy for RSA mode
Appendix D. zIIP Assisted IPSec
D.1 OverviewD.2 Configuring zIIP Assisted IPSECD.3 Example of zIIP Assisted IPSec implementation
Appendix E. z/OS Communications Server IPSec RFC currency
Appendix F. Implementation environment
F.1 Environment used for all four booksF.2 Our focus for this book
Related publications
IBM Redbooks publicationsOther publicationsOnline resourcesHelp from IBM
Back cover

Overview

Abstract

For more than 50 years, IBM® mainframes have supported an extraordinary portion of the world's computing work, providing centralized corporate databases, and mission-critical enterprise-wide applications. IBM z® Systems, the latest generation of the IBM distinguished family of mainframe systems, has come a long way from its IBM System/360 heritage. Likewise, its IBM z/OS® operating system is far superior to its predecessors in providing, among many other capabilities, world-class and state-of-the-art support for the TCP/IP Internet protocol suite.

TCP/IP is a large and evolving collection of communication protocols managed by the Internet Engineering Task Force (IETF), an open, volunteer organization. Because of its openness, the TCP/IP protocol suite has become the foundation for the set of technologies that form the basis of the Internet. The convergence of IBM mainframe capabilities with Internet technology, connectivity, and standards (particularly TCP/IP) is dramatically changing the face of information technology and driving requirements for ever more secure, scalable, and highly available mainframe TCP/IP implementations.

The IBM z/OS Communications Server TCP/IP Implementation series provides understandable, step-by-step guidance about how to enable the most commonly used and important functions of z/OS Communications Server TCP/IP.

This IBM Redbooks® publication is for people who install and support z/OS Communications Server. It explains how to set up security for your z/OS networking environment. With the advent of TCP/IP and the Internet, network security requirements have become more stringent and complex. Because many transactions are from unknown users and untrusted networks such as the Internet, careful attention must be given to host and user authentication, data privacy, data origin authentication, and data integrity. Also, because security technologies are complex and can be confusing, we include helpful tutorial information in the appendixes of this book.

For more information about z/OS Communications Server base functions, standard applications, and high availability, see the other following volumes in the series:

, SG24-8360

IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 1: Base Functions, Connectivity, and Routing

, SG24-8361

IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 2: Standard Applications

, SG24-8362

IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 3: High Availability, Scalability, and Performance

This book does not duplicate the information in these publications. Instead, it complements those publications with practical implementation scenarios that might be useful in your environment. For more information about at what level a specific function was introduced, see z/OS Communications Server: New Function Summary, GC31-8771.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IBM z/OS V1R12 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking

Publisher Resources

ISBN: 9780738442242Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills